我有一个.NET Core 2 Web api,带有用于登录身份验证的功能。如果凭据无效,则返回 401 未经授权。
法典:
[AllowAnonymous]
[HttpPost("authenticate")]
public IActionResult AuthenticateUser([FromBody] UserResource userResource)
{
if (string.IsNullOrWhiteSpace(userResource.UserName))
{
ModelState.AddModelError("CheckUserName", "The username can not be empty or whitespace only string");
return BadRequest(ModelState);
}
if (string.IsNullOrWhiteSpace(userResource.Password))
{
ModelState.AddModelError("CheckPassword", "The password can not be empty or whitespace only string");
return BadRequest(ModelState);
}
var user = repository.AuthenticateUser(userResource.UserName, userResource.Password);
if (user == null)
return Unauthorized();
var tokenHandler = new JwtSecurityTokenHandler();
var key = Encoding.ASCII.GetBytes(appSettings.Secret);
var tokenDescriptor = new SecurityTokenDescriptor
{
Subject = new ClaimsIdentity(new Claim[]
{
new Claim(ClaimTypes.Name, user.Id.ToString())
}),
Expires = DateTime.UtcNow.AddMinutes(120),
SigningCredentials = new SigningCredentials(new SymmetricSecurityKey(key), SecurityAlgorithms.HmacSha512Signature)
};
var token = tokenHandler.CreateToken(tokenDescriptor);
var tokenString = tokenHandler.WriteToken(token);
// return basic user info (without password) and token to store client side
return Ok(new
{
Id = user.Id,
Username = user.UserName,
FirstName = user.FirstName,
LastName = user.LastName,
Token = tokenString
});
}
我想具体说明用户名和密码之间的身份验证过程中出了什么问题。最好的方法是什么?
谢谢!
最后,我决定在用户名不正确的情况下返回BadRequest,在用户名正确但密码错误的情况下返回未授权。这个想法是,如果提供的用户名不正确,最好拒绝无效的请求,而不是未经授权的请求。但我不知道这是否是要遵循的最佳实践。